diff --git a/morph/grid/local/config.json b/morph/grid/local/config.json
index 93779117b49d74315894b6308a027bae50abe0c2..38f00367bf2fa36ad7663c89f7849146783b8515 100644
--- a/morph/grid/local/config.json
+++ b/morph/grid/local/config.json
@@ -4,7 +4,7 @@
 , "monitoringvpnKeyDir": "./secrets/monitoringvpn"
 , "monitoringvpnEndpoint": "192.168.67.24:51820"
 , "passValue": 1000000
-, "issuerDomain": "payments.localdev"
+, "issuerDomains": ["payments.localdev"]
 , "letsEncryptAdminEmail": "florian@privatestorage.io"
 , "allowedChargeOrigins": [
 "http://localhost:5000"
diff --git a/morph/grid/production/config.json b/morph/grid/production/config.json
index b91d7d2e74e4e3d2b30c5e9bea5b33fa4c6fdf1c..e71cb8b4b5f999e3059f0669c2bc3f92f29242a6 100644
--- a/morph/grid/production/config.json
+++ b/morph/grid/production/config.json
@@ -2,7 +2,10 @@
 , "ristrettoSigningKeyPath": "./secrets/ristretto.signing-key"
 , "stripeSecretKeyPath": "./secrets/stripe.secret"
 , "passValue": 1000000
-, "issuerDomain": "payments.privatestorage.io"
+, "issuerDomains": [
+ "payments.privatestorage.io"
+ , "payments.private.storage"
+ ]
 , "letsEncryptAdminEmail": "jean-paul@privatestorage.io"
 , "allowedChargeOrigins": [
 "https://privatestorage.io"
diff --git a/morph/grid/testing/config.json b/morph/grid/testing/config.json
index ca018157f4cf50acbc7b21e24c5b61a07524dba9..ec28840a2857c621a22658efc14368e4c07aa5db 100644
--- a/morph/grid/testing/config.json
+++ b/morph/grid/testing/config.json
@@ -2,7 +2,10 @@
 , "ristrettoSigningKeyPath": "./secrets/ristretto.signing-key"
 , "stripeSecretKeyPath": "./secrets/stripe.secret"
 , "passValue": 1000000
-, "issuerDomain": "payments.privatestorage-staging.com"
+, "issuerDomains": [
+ "payments.privatestorage-staging.com"
+ , "payments.extra.privatestorage-staging.com"
+ ]
 , "letsEncryptAdminEmail": "jean-paul@privatestorage.io"
 , "allowedChargeOrigins": [
 "http://localhost:5000"
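Review bot: Adding `payments.private.storage` to the production `issuerDomains` list means the next deploy will ask certbot (standalone HTTP-01, per the cert service in issuer.nix) for a certificate covering that name, so it must already resolve to this host and be reachable on port 80 at deploy time; if the challenge fails, the cert unit fails and, because zkapissuer `requires` it, the issuer itself will not start. The same applies to `payments.extra.privatestorage-staging.com` in the testing config. The first element of each list is also load-bearing: issuer.nix takes `builtins.head cfg.domains` as the certificate directory name and systemd unit name, so the existing domain must stay first (as it does here) and the list must not be reordered later. Since JSON cannot carry a comment, that ordering constraint belongs in the `domains` option description or the grid README.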
diff --git a/morph/lib/make-issuer.nix b/morph/lib/make-issuer.nix index a16cbb0b1efd0bd707463f11e45351a5e331e21a..58b8a4f20496472409c2063a2923bc29f161d68a 100644 --- a/morph/lib/make-issuer.nix +++ b/morph/lib/make-issuer.nix @@ -1,7 +1,7 @@ { hardware , ristrettoSigningKeyPath , stripeSecretKeyPath -, issuerDomain +, issuerDomains , letsEncryptAdminEmail , allowedChargeOrigins , sshUsers @@ -75,7 +75,7 @@ in rec { database = "SQLite3"; databasePath = "/var/db/vouchers.sqlite3"; inherit letsEncryptAdminEmail; - domain = issuerDomain; + domains = issuerDomains; inherit allowedChargeOrigins; }; diff --git a/nixos/modules/issuer.nix b/nixos/modules/issuer.nix index 6ad4f1b8fa01d570e8b6e1d5c4acfbeb42757822..fb93ce35cce8c9cadbad5a04e888b0cca991f9c7 100644 --- a/nixos/modules/issuer.nix +++ b/nixos/modules/issuer.nix @@ -18,12 +18,11 @@ in { The package to use for the ZKAP issuer. ''; }; - services.private-storage-issuer.domain = lib.mkOption { - default = "payments.privatestorage.io"; - type = lib.types.str; - example = lib.literalExample "payments.example.com"; + services.private-storage-issuer.domains = lib.mkOption { + type = lib.types.listOf lib.types.str; + example = lib.literalExample [ "payments.example.com" ]; description = '' - The domain name at which the issuer is reachable. + The domain names at which the issuer is reachable. ''; }; services.private-storage-issuer.tls = lib.mkOption { @@ -115,6 +114,10 @@ in { config = let certroot = "/var/lib/letsencrypt/live"; + # We'll refer to this collection of domains by the first domain in the + # list. + domain = builtins.head cfg.domains; + certServiceName = "cert-${domain}"; in lib.mkIf cfg.enable { # Add a systemd service to run PaymentServer. systemd.services.zkapissuer = { 
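Review bot: `domain = builtins.head cfg.domains;` in the new `let` turns an empty `domains` list into a bare Nix evaluation error with no hint about which option is wrong, and nothing upstream prevents that case: the option lost its default and `lib.types.listOf lib.types.str` accepts `[]`. Either declare it as `type = lib.types.nonEmptyListOf lib.types.str;` (if the pinned nixpkgs provides that type) or add, inside the `lib.mkIf cfg.enable` body, `assertions = [ { assertion = cfg.domains != []; message = "services.private-storage-issuer.domains must contain at least one domain"; } ];`. The option description should also state that the first entry is special, e.g. `The first entry names the certificate directory under /var/lib/letsencrypt/live and the cert-<domain> systemd unit; keep it stable across deploys.`, since the `# We'll refer to this collection...` comment is only visible to someone reading the module. The `config = let ... in lib.mkIf cfg.enable { ... }` expression continues past the end of this hunk.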
@@ -124,7 +127,7 @@ in { # Make sure we have a certificate the first time, if we are running over # TLS and require a certificate. - requires = lib.optional cfg.tls "cert-${cfg.domain}.service"; + requires = lib.optional cfg.tls "${certServiceName}.service"; after = [ # Make sure there is a network so we can bind to all of the @@ -133,7 +136,7 @@ in { ] ++ # Make sure we run after the certificate is issued, if we are running # over TLS and require a certificate. - lib.optional cfg.tls "cert-${cfg.domain}.service"; + lib.optional cfg.tls "${certServiceName}.service"; # It really shouldn't ever exit on its own! If it does, it's a bug # we'll have to fix. Restart it and hope it doesn't happen too much @@ -157,9 +160,9 @@ in { if cfg.tls then "--https-port 443 " + - "--https-certificate-path ${certroot}/${cfg.domain}/cert.pem " + - "--https-certificate-chain-path ${certroot}/${cfg.domain}/chain.pem " + - "--https-key-path ${certroot}/${cfg.domain}/privkey.pem" + "--https-certificate-path ${certroot}/${domain}/cert.pem " + + "--https-certificate-chain-path ${certroot}/${domain}/chain.pem " + + "--https-key-path ${certroot}/${domain}/privkey.pem" else # Only for automated testing. "--http-port 80"; 
@@ -179,20 +182,20 @@ in { # Certificate renewal. We must declare that we *require* it in our # service above. - systemd.services."cert-${cfg.domain}" = { + systemd.services."${certServiceName}" = { enable = true; - description = "Issue/Renew certificate for ${cfg.domain}"; + description = "Certificate ${domain}"; serviceConfig = { ExecStart = let configArgs = "--config-dir /var/lib/letsencrypt --work-dir /var/run/letsencrypt --logs-dir /var/run/log/letsencrypt"; in - pkgs.writeScript "cert-${cfg.domain}-start.sh" '' + pkgs.writeScript "cert-${domain}-start.sh" '' #!${pkgs.runtimeShell} -e # Register if necessary. ${pkgs.certbot}/bin/certbot register ${configArgs} --non-interactive --agree-tos -m ${cfg.letsEncryptAdminEmail} || true # Obtain the certificate. - ${pkgs.certbot}/bin/certbot certonly ${configArgs} --non-interactive --standalone --domains ${cfg.domain} + ${pkgs.certbot}/bin/certbot certonly ${configArgs} --non-interactive --standalone --expand --domains ${builtins.concatStringsSep "," cfg.domains} ''; }; }; diff --git a/nixos/modules/ssh.nix b/nixos/modules/ssh.nix index 59ee2fec949be247143041379626f35b7d8bf657..667bdd26215b4e0978781244741dd4c5313cefbd 100644 --- a/nixos/modules/ssh.nix +++ b/nixos/modules/ssh.nix @@ -37,6 +37,10 @@ # password-based authentication at all. PermitEmptyPasswords no + # Agent forwarding is fraught. It can be used by an attacker to + # leverage one compromised system into more. Discourage its use. + AllowAgentForwarding no + # Only allow authentication as one of the configured users, not random # other (often system-managed) users. Possibly this is also # superfluous! NixOS system users have nologin as their shell ... so they diff --git a/nixos/modules/tests/private-storage.nix b/nixos/modules/tests/private-storage.nix index e085f8bc7142da4067745bdee233c82e7b1e8d1c..cbf4c5937ca6780ce9e931d6ceec91c29643fbc3 100644 --- a/nixos/modules/tests/private-storage.nix +++ b/nixos/modules/tests/private-storage.nix 
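Review bot: The certbot call now passes `--expand --domains ${builtins.concatStringsSep "," cfg.domains}` but never names the lineage, while the zkapissuer ExecStart (previous hunk) reads `${certroot}/${domain}/{cert,chain,privkey}.pem` with `domain = builtins.head cfg.domains`. Certbot names a lineage after the first requested domain at creation time and, with `--expand`, reuses an existing lineage that covers a subset of the new names, so if the first list entry ever differs from the name the lineage was originally created under, the files the issuer serves and the files certbot renews can diverge (I believe a new `-0001` lineage is another possible outcome). Pin the two together with `--cert-name ${domain} --expand --domains ${builtins.concatStringsSep "," cfg.domains}`. The joined domain string is also interpolated into the script unquoted; it comes from the module option rather than untrusted input, but wrapping it in `lib.escapeShellArg` is cheap insurance against a stray space or shell metacharacter in a config value.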
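Review bot: The new comment says agent forwarding is "discouraged", but `AllowAgentForwarding no` is a hard refusal by sshd, so the comment should describe what the directive actually does, e.g. `# Agent forwarding lets a compromised host use the connecting user's keys to reach further systems. Refuse it here; clients asking for it get no agent socket on this host.` It is worth stating that this protects against an agent being forwarded *to* this machine only; a user who forwards their agent to some other compromised host is unaffected by this setting. Unless they are already set elsewhere in this file (outside the hunk), `AllowTcpForwarding no` and `X11Forwarding no` are the companion directives to close for the same pivot-limiting reason.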
@@ -134,7 +134,7 @@ in { services.private-storage-issuer = { enable = true; - domain = "issuer"; + domains = ["issuer"]; tls = false; issuer = "Ristretto"; inherit ristrettoSigningKeyPath;